Abstract: A quantum digital signature scheme based on quantum
mechanics is proposed in this paper. The security of the protocol relies
on the existence of quantum one-way functions by fundamental quantum
principles. Our protocol involves a so-called arbitrator who validates and
authenticates the signed message. This scheme uses public quantum keys
to sign messages and uses a quantum one-time pad to ensure the security
of quantum information on the channel. To guarantee the authenticity of
the transmitted quantum states, a family of quantum stabilizer codes is
employed. The proposed scheme presents a novel method to construct
secure quantum signature systems for future secure communications.
1 Introduction

Quantum cryptography aims at providing information security that relies
on the main properties of quantum mechanics. The most successful topic
of quantum cryptography is quantum key distribution (QKD), which was
first invented by Bennett and Brassard in 1984 y[j. QKD is believed to
be the first practical quantum information processor, and its
unconditional security has been proven [2,3].

Other than QKD, quantum cryptography protocols such as quantum digital
signature and quantum message authentication have been widely studied
in recent years. Digital signature is a main task in modern cryptography
and is widely used in today's communication systems. Digital signature
is concerned with the "authenticity" of data on the channel [1].
Informally, an unforgeable signature scheme requires that each user be
able to efficiently generate his (her) own signature and verify the
validity of another user's signature on a specific document, and that no
one be able to efficiently generate the signatures of other users on
documents that those users didn't sign.

Gottesman and Chuang proposed a quantum digital signature system based
on quantum mechanics, and claimed that the scheme was absolutely
secure, even against an adversary having unlimited computational
resources. The scheme, however, can only sign classical bit strings and
can't deal with general quantum superposition states. Zeng presented an
arbitrated quantum signature scheme, the security of which is due to the
correlation of the GHZ triplet states and the use of the quantum one-time
pad [S]. In an arbitrated signature scheme, all communications involve
a so-called arbitrator who has access to the contents of the messages
[7]. The security of most arbitrated signature schemes depends heavily
on the trustworthiness of the arbitrators. Zeng's protocol signs quantum
messages which are known to the signatory. It seems impossible to sign a
general unknown quantum state [5,6,8].

In this paper, we present a novel arbitrated quantum digital signature 
scheme which can sign general quantum states, the security of which is 
based on a family of quantum one-way functions by quantum information 
theory. This article is arranged as below. 

Section 2 introduces some definitions and preliminaries we will use in 
the article. Section 3 describes the proposed quantum signature scheme. 
The security is considered in Section 4. Section 5 gives discussions and 
conclusions. 
2 Preliminaries

2.1 Quantum one-way function

This section introduces a class of quantum one-way functions based on
the fundamental principles of quantum mechanics, which was proposed
by Gottesman and Chuang [5]. The definitions are presented below.

Definition 1 (quantum one-way function). A function
$f: |x\rangle_{n_1} \mapsto |f(x)\rangle_{n_2}$, where $x \in F_2^{n_1}$
and $n_1 \gg n_2$, is called a quantum one-way function under physical
mechanics if

(1) Easy to compute: There is a quantum polynomial-time algorithm
$A$ that on input $|x\rangle$ outputs $|f(x)\rangle$.

(2) Hard to invert: Given $|f(x)\rangle$, it is impossible to invert $x$
by virtue of fundamental quantum information theory.

What should be pointed out for the above definition is that the
condition $n_1 \gg n_2$ is necessary. By Holevo's theorem [10], no more
than $n$ classical bits of information can be obtained by measuring $n$
qubits of quantum states. Several means to construct quantum one-way
functions were introduced by Gottesman and Chuang [5], and here we choose
the quantum fingerprinting function llj as the candidate. The quantum
fingerprinting function of a bit string $u \in F_2^w$ is

1 m 

where $E: \{0,1\}^w \to \{0,1\}^m$ is a family of error correcting codes
with fixed $c > 1$, $0 < \delta < 1$ and $m = cw$. $E_l(u)$ denotes the
$l$th bit of $E(u)$. The distance between distinct code words $E(u_1)$
and $E(u_2)$ is at least $(1 - \delta)m$. Since two distinct code words
can be equal in at most $\delta m$ positions, for any $u_1 \neq u_2$ we
have $\langle f(u_1)|f(u_2)\rangle \le \delta m / m = \delta$. Here
$f(u)$ can be regarded as a class of quantum one-way functions, which are
easy to compute, but difficult to reverse.
2.2 Quantum stabilizer codes

A quantum error correction code (QECC) is a way of encoding quantum
data (having m qubits) into n qubits (m<n), which protects quantum
states against the effects of noise. Quantum stabilizer codes are an
important class of QECC and have been applied to other areas of quantum
information, such as quantum cryptography [10].

The Pauli operators $\{\pm I, \pm\sigma_x, \pm\sigma_y, \pm\sigma_z\}$
constitute a group of order 8. The n-fold tensor products of single qubit
Pauli operators also form a group
$G_n = \pm\{I, \pm\sigma_x, \pm\sigma_y, \pm\sigma_z\}^{\otimes n}$ of
order $2^{2n+1}$. We refer to $G_n$ as the n-qubit Pauli group. Let $S$
denote an abelian subgroup of the n-qubit Pauli group $G_n$. Then the
stabilizer codes $H_S \subseteq H_{2^n}$ satisfy

$|\psi\rangle \in H_S$ iff $M|\psi\rangle = |\psi\rangle$ for all $M \in S$    (2)

The group $S$ is called the stabilizer of the code, since it preserves
all of the codewords.

For stabilizer codes [[n, k, d]], the generators $M_i$ and the errors
$E_a$ satisfy

$M_i E_a = (-1)^{s_{ia}} E_a M_i, \quad i = 1, \dots, n-k$    (3)

The $s_{ia}$'s constitute a syndrome for the error $E_a$, as
$(-1)^{s_{ia}}$ will be the result of measuring $M_i$ if the error $E_a$
happens. For a nondegenerate code, the $s_{ia}$'s will be distinct for
all $E_a \in \mathcal{E}$, so that measuring the $n - k$ stabilizer
generators will diagnose the error completely.
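
The syndrome rule of Eq. (3), worked through in Python as an added example (not code from the paper). The five-qubit [[5,1,3]] code, the string encoding of Pauli operators and all function names are assumptions chosen for illustration; `measured_syndrome` goes slightly beyond the text by showing how an error shifts a preset syndrome $s$, which is what a receiver comparing syndromes relies on.

```python
# Added illustration: Pauli operators are written as strings over I, X, Y, Z.
GENERATORS = ["XZZXI", "IXZZX", "XIXZZ", "ZXIXZ"]  # assumed code: [[5,1,3]], n - k = 4

def anticommute(p, q):
    """Two Pauli strings anticommute iff an odd number of positions hold
    two different non-identity operators."""
    clashes = sum(1 for a, b in zip(p, q) if "I" not in (a, b) and a != b)
    return clashes % 2 == 1

def is_abelian(generators):
    """The stabilizer S must be an abelian subgroup of the Pauli group."""
    return not any(anticommute(a, b) for a in generators for b in generators)

def syndrome(error, generators=GENERATORS):
    """s_ia = 1 exactly when M_i E_a = -E_a M_i (Eq. 3)."""
    return tuple(int(anticommute(m, error)) for m in generators)

def single_qubit_errors(n=5):
    """All weight-one errors: X, Y or Z on one of n qubits."""
    return ["I" * i + p + "I" * (n - i - 1) for i in range(n) for p in "XYZ"]

def syndrome_table(errors):
    """Map each syndrome to the errors producing it; a nondegenerate code
    gives exactly one error per syndrome."""
    table = {}
    for e in errors:
        table.setdefault(syndrome(e), []).append(e)
    return table

def measured_syndrome(s, error):
    """Syndrome read from a state prepared with syndrome s after `error` hit it:
    each bit s_i is flipped when M_i anticommutes with the error."""
    return tuple(si ^ ei for si, ei in zip(s, syndrome(error)))

if __name__ == "__main__":
    table = syndrome_table(single_qubit_errors())
    print("abelian:", is_abelian(GENERATORS))
    print("distinct syndromes:", len(table), "of", len(single_qubit_errors()))
    s = (1, 0, 1, 1)  # constructed syndrome value
    print("sent", s, "read after Z on the third qubit:", measured_syndrome(s, "IIZII"))
```
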

3 The Proposed Protocol 
3.1 Security requirements 

The proposed scheme is a cryptographic protocol involving three entities: 
a signatory Alice, a receiver Bob, and an arbitrator Trent who authen- 
ticates and validates the signed message. The security of the signature 
scheme depends much on the trustworthiness of the arbitrator who has 
access to the contents of the messages. The quantum digital signature 
discussed in this article should meet the following security conditions: 
1. Each user (Alice) can efficiently generate her own signature on
messages of her choice;

2. A receiver Bob can efficiently verify, with Trent's help, whether a
given string is another user's signature on a specific message;

3. The signatory can't disavow the message that she has signed;

4. It is infeasible to produce other users' signatures on messages they
haven't signed.

3.2 The protocol 
Key generation 

1. Key distribution. Alice, Bob and Trent agree on some random bits
$K_{AT}$, $K_{AB}$ and $K_{TB}$ as their private keys. $K_{AT}$ is shared
between Alice and Trent, $K_{AB}$ between Alice and Bob, and $K_{TB}$
between Trent and Bob.

To ensure that the scheme is unconditionally secure, the keys can
be generated using quantum key distribution protocols, such as the BB84
or EPR protocol [Tirnj .

2. Signature key generation. Alice generates 2k random secret strings
$u_{i,j} \in F_2^w$ and computes

$|y_{i,j}\rangle = |f(u_{i,j})\rangle, \quad 1 \le i \le 2n, \; j \in \{0,1\}$    (4)

Here $f: |x\rangle \mapsto |f(x)\rangle$ is a class of quantum one-way
functions introduced in Section 2. Alice generates $4n$ key pairs
$\{u_{i,j}, |y_{i,j}\rangle\}^{1 \le i \le 2n}_{j \in \{0,1\}}$, then
publicly announces $\{|y_{i,j}\rangle\}^{1 \le i \le 2n}_{j \in \{0,1\}}$
as her public key and keeps
$\{u_{i,j}\}^{1 \le i \le 2n}_{j \in \{0,1\}}$ as her private key.

Signature

1. Suppose Alice has a quantum state $|\psi\rangle \in H_{2^n}$ and wants
to send it to Bob. Alice randomly selects bit strings $x \in F_2^{2n}$,
$k$ for the stabilizer codes $\{Q_k\}$, and $s$. She q-encrypts
$|\psi\rangle$ as $\rho$ using $x$. Alice encodes $\rho$ according to
$Q_k$ with syndrome $s$ and obtains $\pi$.
2. Alice computes

$X = (x_{\mathrm{pre}_{|y|}} \oplus y) \,\|\, x_{\mathrm{suf}_{2n-|y|}}$    (5) ^1

and generates four copies of $X$'s signature $|\Sigma_K(X)\rangle$
according to her key
$K \in \{u_{i,j}, |y_{i,j}\rangle \mid 1 \le i \le 2n, j \in \{0,1\}\}$:

$|\Sigma_K(X)\rangle = |y_{1,X_1} \dots y_{2n,X_{2n}}\rangle = |\sigma_1 \otimes \dots \otimes \sigma_{2n}\rangle = |\sigma\rangle$    (6)

Alice sends $\pi$ and two copies of $|\Sigma_K(X)\rangle$ to Bob. At the
same time, she encrypts $\{s, k, x\}$ as $C_1$ using $K_{AT}$ ^2 and
sends $C_1$ and two copies of $|\Sigma_K(X)\rangle$ to Trent. We assume
that each setting up of a protocol has a unique sequence number.

^1 Suppose $s < 2n$ in the algorithm. Here, $x_{\mathrm{pre}_{|y|}}$
denotes the first $|y|$ bits of $x$ and $x_{\mathrm{suf}_{2n-|y|}}$
denotes the last $2n - |y|$ bits of $x$; $a \oplus b$ means the
bit-by-bit XOR of the strings $a$ and $b$, namely
$a \oplus b = a_1 \oplus b_1, \dots, a_m \oplus b_m$. The symbol "||"
means concatenation of two binary strings.

^2 In this algorithm, we select the classical one-time pad to encrypt
classical messages to ensure unconditional security.

Verification

1. Trent receives $C_1'$ and two copies of
$|\Sigma_K'(X)\rangle = |\sigma'\rangle$. Trent checks whether the two
copies of $|\Sigma_K'(X)\rangle$ he received are equivalent by performing
a quantum swap test circuit (QSTC j^J). If any one of the
$|\sigma_i'\rangle$'s fails the test, Trent aborts the protocol. Trent
decrypts $C_1'$ using his secure key $K_{AT}$ and obtains
$\{s_T, k_T, x_T\}$. He computes $|\Sigma_K(X)_T\rangle$ according to
$x_T$ and Alice's public keys. Trent compares
$|\Sigma_K(X)_T\rangle = |\sigma\rangle_T$ to $|\Sigma_K'(X)\rangle$. If
any one of them fails the test, Trent aborts the protocol. Trent encrypts
$\{k_T, x_T\}$ as $C_2$ using $K_{TB}$ and sends the ciphertext to Bob.

The comparison of two quantum states is less straightforward than
in the classical case because of the statistical properties of quantum
measurements. Another serious problem is that quantum measurements
usually introduce a non-negligible disturbance of the measured
state. Here, we use the quantum swap test circuit (QSTC) proposed
in JJI to compare whether $|\sigma_i\rangle_T$ and $|\sigma_i'\rangle$
are equivalent or not. QSTC is a comparison strategy with one-sided
error probability $(1 + \delta^2)/2$, and each pair of the compared
qubits has an inner product with an absolute value at most $\delta$.
Because there are $2n$ sets of qubits to be compared, the error
probability of the test can be reduced to
$\left(\frac{1+\delta^2}{2}\right)^{2n}$, where
$\langle f_i|f_j\rangle \le \delta$ with $i \neq j$, and $n$ is the
security parameter. Let the number of the incorrect keys be $e_j$; Bob
rejects it as an invalid signature if $e_j > cM$. Here $c$ is a threshold
for rejection and acceptance in the protocol.

2. Bob has now received Alice's information
$[\pi', |\Sigma_K'(X)\rangle = |\sigma''\rangle]$ and Trent's message
$C_2$. He deciphers $C_2$ as $\{k_B, x_B\}$ and computes $X_B$ according
to Eq. (5). He measures the syndrome $s_B$ of the stabilizer code $Q_k$
on $\pi'$ and decodes the qubits as $\rho'$. He encrypts $s_B$ as $C_3$
using parts of $K_{TB}$ and sends it to Trent.

3. Trent encrypts $s_T$ as $C_4$ using parts of $K_{TB}$ and sends it to
Bob.

4. Bob deciphers $C_4$ and obtains $s_T$. He compares $s_B$ to $s_T$ and
aborts if any error is detected. Bob checks whether the two copies of
$|\Sigma_K'(X)\rangle$ are equivalent by performing the QSTC. He computes
the quantum states $|\Sigma_K(X)\rangle_B = |\sigma\rangle_B$ using $X_B$
and Alice's public keys
$\{|y_{i,j}\rangle\}^{1 \le i \le 2n}_{j \in \{0,1\}}$, and verifies
Alice's signature according to

$V_K(X_B, |\Sigma_K'(X)\rangle) = \mathrm{True} \Leftrightarrow \{|\sigma_i''\rangle = |y_{i,X_i}\rangle = |\sigma_i\rangle_B\}_{1 \le i \le 2n}$    (7)

Bob q-decrypts $\rho'$ as $|\psi'\rangle$ according to $x_B$.
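
The fingerprint overlap bound of Section 2.1 and the swap-test error of the verification phase, as an added Python example (not part of the paper). It assumes the standard fingerprint state $|f(u)\rangle = \frac{1}{\sqrt{m}}\sum_{l}|l\rangle|E_l(u)\rangle$ and uses a Hadamard code as a toy stand-in for $E$ (it gives $\delta = 1/2$ but has $m = 2^w$ rather than $m = cw$); all function names are hypothetical.

```python
import math
from itertools import product

def hadamard_codeword(u):
    """Toy code E (assumption): bit l of E(u) is the parity of u AND l,
    so two distinct codewords agree in exactly m/2 of m = 2^w positions."""
    return [sum(a & b for a, b in zip(u, l)) % 2
            for l in product((0, 1), repeat=len(u))]

def fingerprint(u):
    """Real amplitude vector of |f(u)> over the basis |l>|bit>, length 2m."""
    code = hadamard_codeword(u)
    m = len(code)
    state = [0.0] * (2 * m)
    for l, bit in enumerate(code):
        state[2 * l + bit] = 1 / math.sqrt(m)
    return state

def overlap(a, b):
    """Inner product <a|b> of two real state vectors."""
    return sum(x * y for x, y in zip(a, b))

def swap_test_pass(a, b):
    """Probability that one swap test reports 'equal': (1 + |<a|b>|^2) / 2.
    Equal states always pass, so the error is one-sided."""
    return (1 + overlap(a, b) ** 2) / 2

def max_overlap(w):
    """delta of the toy code: largest overlap over distinct w-bit strings."""
    words = list(product((0, 1), repeat=w))
    return max(overlap(fingerprint(u), fingerprint(v))
               for i, u in enumerate(words) for v in words[i + 1:])

def all_tests_pass_bound(n, delta):
    """Bound on 2n wrong components all passing: ((1 + delta^2) / 2)^(2n)."""
    return ((1 + delta ** 2) / 2) ** (2 * n)

if __name__ == "__main__":
    u, v = (1, 0, 1), (0, 1, 1)  # constructed sample key strings
    print("delta for w=3:", max_overlap(3))
    print("same key passes:", swap_test_pass(fingerprint(u), fingerprint(u)))
    print("wrong key passes:", swap_test_pass(fingerprint(u), fingerprint(v)))
    for n in (4, 8, 16):
        print("n =", n, "bound:", all_tests_pass_bound(n, max_overlap(3)))
```
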

4 Security Analysis 
4.1 Correctness 

Theorem 1 (Correctness). Suppose all the entities involved in the scheme 
follow the protocol, then Eq. (7) holds. 

Proof. The correctness of the scheme can be seen by inspection. In the 
absence of intervention, Trent will obtain Alice's key s, x, k and her sig- 
nature of X. Trent verifies the signature and sends x, k secretly to Bob. 
Bob can successfully decode and decipher the quantum states and verify
Alice's signature. Because Alice signs her message according to Eq. (6), 
it's easy to verify that Eq. (7) holds. 

4.2 Security against repudiation 

Alice can't deny her signature. When Alice disavows her signature, Bob
will resort to Trent. Bob sends one copy of the signature
$|\Sigma_K'(X)\rangle$ to Trent. Trent compares $s_B$ and
$|\Sigma_K'(X)\rangle$ with $s_T$ and his kept copy of the signature
$|\Sigma_K'(X)\rangle$ that Alice has sent to him. If all these pass the
test, Trent reveals that Alice is cheating because $|\Sigma_K(X)\rangle$
contains Alice's signature on her private keys $x$ and $s$. Otherwise,
Trent concludes that the signature has been forged by Bob or other
attackers.

4.3 Security against forgery 

Theorem 2. Other entities forge Alice's signature with a successful
probability at most $2^{-[(w - t\lceil \log_2 m \rceil) + 2n]}$.

Proof. Consider an adversary (Eve or Bob) who controls the
communication channels connecting Alice, Trent and Bob and wants to forge
Alice's signature. Here we present two strategies that the attacker Eve
(Bob) can apply.

1. One is that she tries to alter the signed quantum states. Eve
intercepts $[\pi', |\Sigma_K'(X)\rangle]$. She keeps $\pi'$ and selects a
random key $x_E$ to encrypt another quantum state $|\phi\rangle$ as
$\tau$ and sends $[\tau, |\Sigma_K'(X)\rangle]$ to Bob. Because Eve knows
nothing about the stabilizer code $\{Q_k\}$ and syndrome $s$, her
cheating will be detected by Bob in the fourth step of the verification
phase when he compares the syndrome $y$ to $y'$.

2. The second strategy is that the attacker tries to recover Alice's
private keys and generate a "legal" signature. She knows nothing about
Alice's private keys $x, y, k, K_{AT}$ and
$\{u_{i,j}\}^{1 \le i \le 2n}_{j \in \{0,1\}}$, so she can't compute
$x, y, k$ from the mixed state $\pi'$. According to Holevo's theorem
[10], Eve can obtain at most $t\lceil \log_2 m \rceil$ bits of classical
information about one of Alice's signature keys $\{u_{i,j}\}$ from
Alice's public key. Here, $t$ is a small natural number and we let
$c = 4$ in our scheme. Since she lacks $w - t\lceil \log_2 m \rceil$ bits
of information about any private key which Alice hasn't revealed, she
will only guess correctly at most
$2^{-[w - t\lceil \log_2 m \rceil]}$ of it. Therefore, the attacker can
forge Alice's signature only with a successful probability less than
$2^{-[(w - t\lceil \log_2 m \rceil) + 2n]}$.



5 Concluding Remarks 

Designing a quantum digital signature protocol is not trivial because of
several fundamental properties of quantum messages.

The first and most important property of quantum information is the
no-cloning theorem, which forbids the reproduction of unknown qubits.
For digital signature, how can we verify that the signature is indeed the
signature on a specific state without generating copies of the original
message?

The second is the probabilistic and irreversible nature of quantum
measurement. That makes it troublesome to decide whether a state is a
legal signature without changing that state.

The last property of a secure quantum signature scheme is that it is
also a secure encryption scheme, which has been shown by Barnum et al.
in literature |S].

In this article, we investigate how to overcome these obstacles and
present a quantum digital signature scheme. The security of the scheme
relies on the existence of a family of quantum one-way functions by
quantum principles. The authenticity of the quantum information is
obtained by quantum error correction codes, and the security of the
quantum information on the channel is ensured by the quantum one-time
pad.